Having worked with the Federal government you are woefully misinformed. There likely is a policy statement announcing that passwords are being phased out, but I can assure they were alive and well past 2004.
There was a Presidential Directive signed by George W. Bush in August of 2004 [0] that resulted in follow-up actions by every department of the executive branch of the US Government, the creation of the physical infrastructure, annual reports on compliance.
As someone who has worked with the DOD OCIO on this, I am likely significantly more informed than you and the assertion to the contrary is unfounded and likely incorrect.
... do you think that's the only way it applies ? Did you read it ?
It says that no other method of authentication to US Government (exempting specifically national security systems) except for the approved method may be used. Since there are no passwords in the list of strong authenticators, it's not permitted.
Here are the relevant sections pieced together so you can't miss it:
Note "Mandatory"
> establishing a mandatory, Government-wide standard for secure and
> reliable forms of identification issued by the Federal Government
> to its employees and contractors (including contractor employees)
Note that the definition of the phrase used above excludes passwords:
> "Secure and reliable forms of identification" for purposes of this
> directive means identification that (a) ...; (b) is strongly resistant
> to identity fraud, tampering, counterfeiting, and terrorist exploitation;
This is the part that says they have 8 months after the August publication
of HSPD-12 to comply with the above, and specifically for US Government
computers (called Information Systems).
> As promptly as possible, but in no case later than 8 months after the
> date of promulgation of the Standard, the heads of executive departments
> and agencies shall, to the maximum extent practicable, require the use
> of identification by Federal employees and contractors that meets the Standard
> in gaining [...] logical access to Federally controlled information systems.
> Departments and agencies shall implement this directive in a manner
> consistent with ongoing Government-wide activities, policies and
> guidance issued by OMB, which shall ensure compliance.
So, upon... actually reading HSPD-12 there's no interpretation that can be made where passwords are permitted to access unclassified systems... aka, my original statement.
